Home page logo

webappsec logo WebApp Sec mailing list archives

Re: myspace hack
From: Tim Brown <tmb () 65535 com>
Date: Fri, 14 Oct 2005 16:04:39 +0100

On Friday 14 Oct 2005 15:29, Reynolds, Jake wrote:
I wouldn't consider this an XSS attack. Where in the attack did information
cross sites? This seems like it is an embedded XSS attack in that a
malicious script was entered into a profile in hopes that victims would
view and execute it. However, nothing was sent across sites via the script.
The vulnerability was a lack of output validation in my opinion, which is
the same vulnerability that an XSS attack would exploit. I don't know how
you would classify the attack... Probably "self-replicating session
riding". Yeah that has a nice FUD-factor to it.

I coined the term Same Site Scripting to describe the act of abusing 
XMLHttpRequest whilst playing around with this attack vector for a paper I'm 
writing.  Anyone have a better suggestion?

Tim Brown
<mailto:tmb () 65535 com>

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]